arXiv:1504.05984v2 [cs.IT] 6 Aug 2015 


Reliable and secret communication over 
adversarial multi-path networks 

Qiaosheng (Eric) Zhang*^ Swanand Kadhe*^ 

Mayank Bakshi^ Sidharth Jaggi^ Alex Sprintson^ 

^Institute of Network Coding, Chinese University of Hong Kong ^Texas A& M University 


D 

Abstract —We consider the problem of communication over a 
multi-path network in the presence of a causal adversary. The 
limited-view causal adversary is able to eavesdrop on a subset 
of links and also jam on a potentially overlapping subset of 
links based on the current and past information. To ensure that 
the communication takes place reliably and secretly, resilient 
network codes with necessary redundancy are needed. We study 
two adversarial models - additive and overwrite jamming and we 
optionally assume passive feedback from decoder to encoder, i.e., 
the encoder sees everything that the decoder sees. The problem 
assumes transmissions are in the large alphabet regime. For both 
jamming models, we find the capacity under four scenarios 
- reliability without feedback, reliability and secrecy without 
feedback, reliability with passive feedback, reliability and secrecy 
with passive feedback. We observe that, in comparison to the non- 
causal setting, the capacity with a causal adversary is strictly 
increased for a wide variety of parameter settings and present 
our intuition through several examples. 

Index Terms —adversary, jamming, secrecy, causal, feedback 

I. Introduction 

Consider the following example of a communication prob¬ 
lem. Alice wishes to wirelessly transmit a message m to 
receiver Bob by communicating over C different frequencies. 
Their communication is intercepted by a limited-view adver¬ 
sary Calvin who has his receiver tuned to subset Zji of the 
frequencies, and can jam a potentially overlapping subset Zw 
of frequencies by adding transmissions on them. Due to the 
nature of the channel, Calvin can only see the signal up to the 
current time to maliciously determine his jamming strategy for 
the current time instant. We wish to answer questions of the 
following form: ‘"Without knowing which frequencies Calvin 
is monitoring/jamming, what is the maximum communication 
rate at which Bob can decode Alice’s message successfully, 
while keeping the message secret from Calvin?”. This example 
corresponds to a model in which Alice wishes to communicate 
reliably and secretly with Bob over a channel with an eaves¬ 
dropper/additive jammer. A variant of the problem is when, 
additionally, Alice can also hear the channel outputs (she too 
is monitoring all C frequencies, and therefore has passive 
feedback). In this variant we wish to understand whether this 
knowledge can improve the best possible rate. 

The work of Qiaosheng (Eric) Zhang, Mayank Bakshi and Sidharth Jaggi 
was partially supported by a grant from University Grants Committee of the 
Hong Kong Special Administrative Region, China (Project No. AoE/E-02/08). 
The work of Alex Sprintson was partially supported by the NSF under grant 
CNS-0954153 and by the AFOSR under contract No. FA9550-13-1-0008. 

* indicates equal contribution. 


We model this problem as that of communication over a 
noiseless multi-path network consisting of C parallel links 
between the sender and the receiver. As mentioned above, 
the adversary Calvin can eavesdrop on a subset Zp and jam 
on a subset Subsets Z/jvv , Zpo represent 

the links that Calvin can both eavesdrop on and jam, only 
eavesdrop on (but not jam) and only jam (but not eavesdrop 
on) respectively. In addition, the sizes of Z/jyy, Z/jo and Zwo 
are bounded from Zrw, Zro and Zyjo- The adversarial vector z 
= (Zru,, Zro, Zico) measures Calvin’s power. Moreover, Calvin 
also knows the encoding and decoding schemes so that he may 
mimic Alice’s behavior to confuse Bob. We consider a causal 
constraint on Calvin’s behaviors, i.e., Calvin can only use the 
knowledge of symbols up to the current time slot to decide 
his jamming strategy. 

Related work 

Reliable communication: The problem of reliable com¬ 
munication (with no secrecy constraints) against a malicious 
eavesdropping adversary has been well-studied in the past. The 
maximum possible rate has been characterized under various 
settings - both causal and non-causal. The non-causal setting is 
relatively well understood both in the classical error-correction 
setup 0-0 and the network error correction setting 0-0. 
A key feature of these results is that in many of these models, 
Calvin can decrease the capacity by twice the number of links 
he controls, by “pushing” Alice’s transmissions towards the 
“nearest plausible transmission”, thereby inflicting “double¬ 
damage”. This heuristic also suggests an intuitive scheme for 
Bob’s decoder - try to detect as many corrupted links as 
possible and treat those as erasures - in this case Calvin’s 
actions would only cause “single damage”. Critically, Calvin’s 
ability to cause double damage depends on his ability to be 
able to see the full transmission for each link in before 
determining the optimal jamming strategy for Z\y. 

In contrast, in the causal setting, by using stochastic encod¬ 
ing, the adversary may not be able to predict some of the future 
symbols, which can then be used to detect the set Zw- Causal 
adversaries for classical channel coding and network coding 

^RW, RO, WO stand for “read and write”, “read only” and “write only” 
respectively. In a wireless setting these sets may correspond to different 
physical constraints on Calvin’s ability to eavesdrop on or jam certain 
frequencies. In distributed storage system setting these sets may correspond 
to Calvin having or read-or-write, read-only, or write-only permissions on 
different devices. 


problems have also been well studied Q, fTO) . In pT) , the 
authors consider causal, omniscient adversaries for multicast 
networks, and characterize precise conditions under which any 
positive rate is achievable. Further, they also provide some 
upper and lower bounds on the rates. However, the question 
of characterizing the capacity in general networks containing 
malicious jammers remains open in the main. 

Reliable and secret communication: The problem of both 
reliable and secure communication over a network has also 
received considerable attention in the literature. For reliable, 
secure communication, GD characterize the capacity when 
Zro = Zu)o — 0. In 1^, the authors consider another extreme 
when the set of edges that are eavesdropped and jammed 
are disjoint, i.e., Zrw = 0. The capacity for a general z = 
{zrw, z:ro, Zwo) for a non-causal adversary with no feedback 
has been considered in a previous work Q by the authors of 
this work. 

Another model that is related to our setup is that of 
an adversarial wiretap (AWTP) channel p^ , wherein the 
adversary can eavesdrop up to a given fraction of symbols 
sent over a channel, and can jam another (possibly inter¬ 
secting) fraction of symbols based on what he eavesdrops. 
There are two key differences from our work; (i) the authors 
only consider the problem of additive jamming, and (ii) 
the capacity characterization is parametrized with “coarser 
granularity”, in that instead of parametrizing the problem in 
terms of (Zrw, Zro, Zwo), the authors parametrize it in terms 
of (zrw + Zro, Zrw + Zwo), i-c., in tetms of the total number of 
eavesdropped and jammed links. 

Another problem that is closely related to ours is that of 
Secure Message Transmission (SMT) p^ , p?) . Under SMT, a 
sender aims to communicate a message reliably and secretly to 
the receiver over multiple parallel links out of which a fraction 
of links are eavesdropped and another (possibly intersecting) 
fraction are jammed. There are a several differences from 
our model; (i) The SMT problem focusses on computing a 
lower bound on the number of links that are required for 
reliable and secret communication of one message symbol, and 
usually do not provide information-theoretically tight capacity 
characterizations, (ii) most schemes are multi-round, 2 -way 
protocols where the receiver can (actively) talk to the sender 
(though some protocols are indeed 1 -way), (iii) the problem 
parametrization is again in terms of {Zrw + Zro, Zrw + Zwo)- 

Our contributions 


transmitted packets with fake packets of his choice. 

In the setting without feedback. Theorems EEl state the 
capacity when secrecy is not required. Theorems and 
state our results with secrecy requirement and also without 
feedback. When passive feedback is available to the encoder, 
we characterize the capacity in Theorems |7] and and also 
consider secrecy in Theorems 9 and 10. 

The rest of this paper is organized as follows. In Section [II] 
we illustrate the role of causality in limiting the adversary’s 
power by giving four examples. We formally define the 
problem in Section and state our main results with short 
proof sketches in Section IV The detailed proofs are presented 
in Appendices [A||E| 


II. Key ideas 

The techniques used in this paper build upon the ideas 
introduced in 0, fig. In this section, we present a short 
intuitive overview of some of these ideas via toy examples. 


A. Ideas for achievability 

1) Reed-Solomon codes: The application of Reed-Solomon 
codes Q (or in fact, any MDS code) to network error- 
correction is well-studied. These are particularly useful when 
the parameters Zrw,Zro, and Zwo correspond to a “strong 
adversary” that can choose both the set Zw and the corrupted 
codewords in a “worst-case” manner^ If Bob were able to 
detect the set Zw with high probability, this would allow him 
to treat the set Zw as “erasures”, thus enabling a rate of C—Zw 
to be achievable - indeed, this is what some of the schemes 
we present attempt to do 0 

2) Pairwise-hashing: When the adversary has limited 
knowledge of the transmitted codewords, in some settings a 
pairwise-hashing scheme is useful in detecting the set Z^j^ and 
enabling treating the corrupted set of links as erasures 1121 .The 
following example presents the main intuition here. 


Example 1 (Limited-view non-causal adversary ^/). Con¬ 
sider a network with three links Li,L 2 and L 3 , and an 
adversary Calvin that can both read and write on exactly 
one link, i.e., Zrw = 1 and Zwo = Zro = 0. Even though 
the zero-error capacity of this network is C — 2zw = 1 , we 
argue that in the vanishing error probability setup, the link 
Zjiw can be detected and the rate is C — Zrw = 2. The 
codeword sent on the link Li consists of three parts - the z-th 
symbol from a (3, 2) Reed-Solomon codeword Ui, a random 
key Ki, and hash values Hii,Hi 2 , Ha with Hij — h{Ki, Lff) 


We consider the problem of causal jamming with an 
optional secrecy requirement. Taking cue from our prior 
work ||^, we consider a finer characterization of the adver¬ 
sary’s power by classifying his controlled links into read¬ 
only, write-only, and read-and-write subsets. We examine this 
problem in two settings - additive and overwrite jamming. 
The motivation for an additive adversary comes from wireless 
networks, where, the adversary may add his own signal to the 
transmitted signal. On the other hand, the overwrite adversary 
models the adversarial action in a wired network, where 
the adversary is more likely to completely replace the true 


^Notice that for a write only link, the overwrite adversary knows the 
output codewords while the additive adversary has no way to learn the output 
codewords. 

^The simplest example of a strong adversary is an omniscient one, i.e., 
when Zr = C. However, the exact parameter settings that correspond to a 
strong adversary depend on the flavour of the problem being considered, e.g. 
causal vs non-causal, overwrite vs additive etc. 

“^It is important here to make a distinction between zero error probability 
{i.e., robustness to worst-case errors) and vanishing error probability require¬ 
ments. In the former case one can use the Singleton bound to see that 
the best achievable rate is C — 2zw regardless of what the adversary knows. 
However, the Singleton bound requires Calvin to know the entire transmission. 
Hence, in the latter setup, a higher rate may be achievable if the adversary 
has limited eavesdropping power. 






for a suitably designed non-linear hash function Upon 

receiving the codewords, Bob checks consistency within each 
pair of links {Li, Lj) by verifying if the received values satisfy 
both Hij = h{Ki, Uj) and Hji = h{Kj, Ui). Without loss of 
generality, assume that Calvin choses Z^w = {^ 1 } (unknown 
to Alice and Bob) and corrupts {Ui, Ki, Hu, H12, -ffia). Note 
that since Calvin does not know the values of K2 and K3, it 
can be shown that the probability that he can satisfy the checks 
for H21 and H^i is small if he choses to change Ui. On the 
other hand, links L 2 and L 3 cross-verify all of their mutual 
hashes successfully, thus isolating Li as the corrupted link. As 
a result. Bob can successfully decode the message by treating 
Ui as an erasure for the Reed-Solomon code. □ 

The scheme in the Example [T] exploits the adversary know¬ 
ing only a subset of what the decoder sees. In the problems 
considered in this paper, the additional assumption of causality 
further limits his view and enables a higher rate. For example, 
in the three link network above, even if we permit the 
adversary to read all the links (i.e., Zro = 2 , Zrw = 1 ), the fact 
that the adversary does not know the random keys Ki,K2, 
while perturbing the selected Ui prevent him from being able 
to deterministically match the corresponding pairwise hashes. 
This allows the decoder to detect the corrupted link. 

3) Adversary detection with passive feedback: We use a 
similar idea as above in the setting with passive feedback {i.e., 
the encoder overhears all past symbols received by the decoder 
before transmitting the current symbol). In this case, the rate 
C — Zu) is possible for an even larger set of parameters by 
using a multi-round scheme that lets Bob detect the set of 
corrupted links. 

Example 2 {Adversary detection). Consider a two link net¬ 
work with Zrw = Ij-Zr-o = Zwo = 0. Here, no positive rate 
is possible without feedback {c.f. Example |^. However, with 
passive feedback, a rate of 1 is possible. To see this, consider a 
two-round scheme. Alice first generates two independent and 
uniformly random keys Ki and K 2 . Next, for a message M, 
Alice transmits {M, Ki) and (M, K 2 ) on links Li and L 2 re¬ 
spectively in the first round. Now, Alice sees both the received 
codewords, say {Mi, Ki) and (M 2 , K 2 ), and determines if any 
of the links were corrupted by Calvin. In the second round, 
Alice sends hash H = {h{Mi, Ki),h{M 2 , K 2 )) on all links 
that she determines to be uncorrupted in the first round, while 
sending uniformly random bits having the same length as H 
on the corrupted links. This lets Bob detect and ignore any 
link corrupted in the first round and decode the message from 
the uncorrupted link(s). Note that since Calvin sees only one 
link, he cannot ensure that the second round codeword on any 
link corrupted by him satisfies the hash equation. 

The intuition is that the encoder can use his feedback 
to first determine which links have been corrupted by the 
adversary and then convey this information to the decoder by 
sending values consistent with the hash function only on the 
uncorrupted links (and inconsistent values on others). 

4) Mixing keys for secrecy: In the setting where informa¬ 
tion theoretic secrecy is demanded in addition to reliability. 


we use standard one-time pad arguments that mix the message 
with random keys. Since the adversary can see up to Zr links, 
as long as the key rate is at least Zr, we show that the secrecy 
requirement is met. The error correcting code is chosen so that 
both the message and the key are decoded by the receiver. As a 
result, as long as the overall rate decreases by Zr, both secrecy 
and reliability are simultaneously met. 

5 ) Secret key extraction via passive feedback: A surprising 
effect of passive feedback is that it allows Alice and Bob to 
extract secret keys from corrupted links as long as the received 
codeword on the link is hidden from Calvin. This allows for 
simultaneous reliable and secret transmission at rates higher 
than that achievable by just mixing Zr random keys with the 
message. The following example of an additive adversary {i.e., 
on Zwo links, Calvin adds an error vector to the transmitted 
codeword without necessarily knowing what was sent by 
Alice) illustrates the key idea that enables achieving the rate 
minjC — Zr,C — Zw} in the additive setting. 

Example 3 {Secret key extraction). Consider a two link 
network with Zro = Zwo = 1- Here, no positive rate is possible 
for simultaneous reliable and secret transmission without feed¬ 
back. However, with passive feedback, the following multi¬ 
round protocol achieves an asymptotic rate of 1. Let the 
message M = Mi M 2 ... Mn be a length-n binary vector. The 
transmission is divided into three-stages. In the i-th round of 
the first stage, Alice generates a random bit Kj and sends 
Xij = Mj on the first link and X 2 ,j = Mj 0 Kj on 
the second link. After each bit is received, Alice checks if 
any of the two links have been corrupted by Calvin. Let c 
be the first round where Calvin has corrupted one of the 
links, say link Li, i.e., Yi^c = Xi^c © for some Ec. Alice 
now starts the second stage of transmission. In each round 
j = c+ l,...,n+l, Alice sends Xij = Kj on the corrupted 
link Li and Xi^i+ij = Mj_i + Ti j_i on the uncorrupted 
link. Note that since Calvin has revealed that Li G 
Alice knows that Calvin cannot infer the values of Tj j as 
each Xij is independent of ..., Xi(^i+i^n+i- Thus, 

in the second stage of transmission, Yij acts as a shared key 
for secret transmission on the uncorrupted link for the {i + 1 )- 
th round. Finally, in the third stage, Alice transmits the values 
of c and i by using the reliable transmission scheme (without 
secrecy) of Example 

B. Ideas for the converse 

1) Cutset bound: Since the adversary can corrupt links, 
he can replace the codewords on the links in Z^ by uniformly 
random symbols independent of the original codewords. By a 
simple argument based on Fano’s inequality, one can conclude 
that no rate higher than C — Zw is possible if the error 
probability must vanish to 0 . 

2) A symmetrization argument A tighter converse than 
the above can be obtained when the adversary is “powerful 
enough”. For example, in the setting without feedback, if the 

^Note that decreasing the rate by Zr suffices even when Alice does not know 
the set of links corrupted by Calvin. Surprisingly, when Alice can learn the 
set of links corrupted by Calvin in previous rounds of a multi-round scheme, 
the secrecy capacity may be higher (as seen in Example [3| 



Fig. 1: System diagram for a multi-path network consisting of C 
parallel links (C — 7 in this example). 


adversary can corrupt at least half of the links, no positive 
rate is possible. The argument here is similar to the Singleton 
Bound 0 and allows for stochastic encoding as well. The 
following example illustrates the idea. 

Example 4 (Symmetrization with a causal adversary). Con¬ 
sider a three link network under attack from a causal adversary 
with Zrw = 2 and z^o = Zro = 0. It is straightforward 
to see that the pairwise hashing scheme can be foiled by 
the adversary - he can ensure that the two links in Zw 
satisfy each other’s hashes and thus there is no reliable way 
for the decoder to determine the uncorrupted link. More 
generally, for any coding scheme, the adversary can follow 
a symmetrization strategy as follows. Suppose the encoder 
maps message m to codewords xi,X 2 ,X 3 according to an en¬ 
coder conditional probability distribution Pxi,x: 2 ,x: 3 |m|^ The 
adversary first chooses a message m' uniformly at random 
from the set of possible messages and draws codewords 
x'l,X 2 ,x';j according to the conditional probability distribution 
PXi,X2,X3\m (2^1) 3 ^ 2 ,2^3 1 to '). Next, the adversary chooses 
to be either {Li} or {L 2 ,T 3 } with equal probability and 
replaces the codewords {xi : i G Zyy) by (x' : i G Zw)- Now, 
from the decoder’s point of view, given the received codewords 
2 / 1 :2/2:2/3: the messages to and to' are equally likely. Thus, the 
decoder cannot reliably determine whether the true message 
is TO or to' and as a result the error probability is bounded 
away from 0 for any code of positive rate. □ 

When feedback is present, an argument similar to the above 
holds, albeit for a smaller set of adversarial parameters. With 
feedback, since the code operates over multiple rounds, the 
adversary needs to be sufficiently powerful to be able to 
fool the decoder even when the encoder knows the received 
codewords on the links in Z^/. 

III. Problem Statement 

The multi-path network model and the encoding/decoding 
process are illustrated in Figure [T] In our setting, the multi-path 
network consists of C parallel, directed links Li, L 2 ,...,Tc- 
For the equal link capacity network, each link is of unit 
capacity. For a general unequal link capacity network, the 
capacity of link Li is denoted by Ui, Vi G {0,1,.. ., C}. The 
total capacity of a unequal link capacity network is defined 

®Note that both a deterministic encoder as well as an encoder using pairwise 
hashing can be viewed as special cases under this formalism. 


as C bits per use, where C := ^ In particular, the total 

i—1 

capacity of the equal link capacity is C bits per use. We also 
optionally consider passive feedback available causally at the 
transmitter, i.e., the transmitted overhears the received symbols 
at the decoder causally. 

We begin by formally describing the encoder, decoder, and 
possible adversarial actions for a code for block length n, i.e., 
for a code that operates over n time steps and r rounds {r < n 
with r = 1 denoting the case without feedback). For simplicity, 
we focus on networks with equal link capacity and deal with 
the unequal link capacity case only informally. 

In the following, matrices X = and 

Y = ... y(’’)] respectively denote the collection 

of transmitted and received codewords across all links for 
all rounds. Here, X^^'i (resp. is a matrix whose i-th 

row X^^'^ (resp. denotes the transmitted (resp. received) 

codeword on link Li in the /c-th round. 

A. Encoder 

The transmitter Alice encodes a nR-hit message to, where 
R stands for the message rate. The message to is assumed 
to be uniformly distributed from {0,1}" . To perform a 
stochastic encoding, a random key k, which is uniformed 
distributed from the finite field F 2 t, is also generated by Alice. 

In the first round, Alice encodes to into a collection of 
C n-length codewords x[^\ X 2 ^\ ..., X^\ In this case, the 
encoder function for the first round takes the form 

: (0,1}^" X F 2 t ^ (0, . 

If no feedback is present, no further actions are performed by 
Alice. In this case, = n. 

If feedback is present, in each subsequent round k, Alice’s 
codewords , X^'^ ,■■■■, are each of length and 
are determined by the message to, the random key k, and the 
feedback from prior rounds Formally, Alice’s 

encoder for the i-th round takes the form 

k—1 

: (0,1}^” X F 2 t X (0,1}^"“' ^ (0,1}^"'"' , 
i=i 

where, X]fe=i 

B. Decoder 

The decoder Bob receives the code matrix Y, which may 
be different from X and outputs a reconstruction m. The 
decoding function takes the form 

7 e(r) :{ 0 , 1 }"^^{ 0 , 1 }"^. 

C. Adversary 

Out of the C links of the multi-path network, the adversary 
Calvin is able to eavesdrop (but not jam) a subset Zpo of 
size Zro, jam (but not eavesdrop) a subset Zwo of size z^o, 
both eavesdrop and jam a subset Zpw of Zrw Calvin’s power 
is measured by the adversarial vector z = (Zmj, Zro, Zwo)- 
The encoding and decoding strategies are known to Calvin. 
However, the two end users do not know how Calvin chooses 
Zpo, Xowo and Z^w in advance. 











1) Additive and Overwrite Jamming: An additive jammer 
may induce additive bias on the transmitted codeword. Assume 
the codeword transmitted on Ljis ^^and t^ bias is l^i, the 
received codeword would heYi = Xi + Ei. On the other 
hand, an overwrite adversary can overwrite the transmitted 
codeword by its own one directly. If the codeword is and 
the bias is^i, the received codeword will be = A. 

2) Causal Adversary: We restrict the adversary to be 
causal, i.e., the adversary is only allowed to jam the symbol 
of curTent time slot based on the observation of curTent and 
past time slots. More specifically, at any given time t, given a 
C xn code matrix X, the adversary can use the knowledge of 
only the first t symbols from rows in subset U Z^o in 
order to jam the t-th symbols from the rows in Zjmr U Zy^o- 


In contrast, a non-causal adversary |I6| enjoys the full 
knowledge of all the symbols in the rows belonging to 
Zrw U Zro at all times. Obviously, the non-causal adversary 
has a stronger power and leads to a potentially lower rate. 

3) Reliability and Security: Instead of a zero-error prob¬ 
ability, we aim to achieve an e-etTor probability. The com¬ 
munication is reliable if for any £ > 0, by choosing n large 
enough, there exists a code of block length n such that the 
error probability = Pr[m ^ m] < £. 

In terms of security, we aim to achieve the information- 
theoretically perfect secrecy. Assume the subset Calvin can 
eavesdrop is Zr = {ii, Z 2 , • • • , izA and the sub-codeword on 
Zr links is Xz^ = [Xf^ Xf^ ■ ■ ■ Xf^ ]^. To achieve security, 
the mutual-information between the message and Calvin’s 
observation should be zero, i.e. / (M; XzA — 0. 

IV. Main Results 

In this section, we present the main results and sketch 
their proofs. The full proofs of the results can be found 
in Appendices B]|E We group our results into four parts - 
reliability without feedback, reliability and secrecy without 
feedback, reliability with feedback, as well as reliability and 
secrecy with feedback. For each of these cases, we discuss 
the additive jamming and the overwrite jamming separately. 
Finally, we give a “complete” characterization of the problem 
in Table U 


A. Reliability without feedback 

For both additive and overwrite jammers, we obtain a 
two-part rate-region, i.e. weak adversary regime and strong 
adversary regime. The weak adversary regime for additive 
jamming is 


jrodd _ f z- . ^ 
^w,nf 




whereas for overwrite jamming, the weak adversary regime is 


ZZ^^f = {z:2z^o + 2zr^<C}. 

The strong adversary regime equals the complement of the 
weak adversary regime. In the weak adversary regime, the 
achievability relies on erasure codes coupled with the pairwise¬ 
hashing scheme. The rate is limited to zero in the strong 
adversary regime. 




Fig. 2: The rate regions for additive and overwrite causal jamming 
adversaries (Theorem 1 and 2): for additive (resp. overwrite) jam¬ 
ming, the pentahedron V 3 OF 2 F 5 V 4 (resp. OVjVsViVrVe) represents 
the weak adversary regime, while the polyhedron F 3 V 4 V 5 V 1 (resp. 
ViVsVsVjVrVe) represents the strong adversary regime. 


First we consider the scenario when reliable communication 
is the only objective. For equal and unequal link capacity 
networks, for any z = {zrw, Zro, Zwo) such that Zrw + Zro + 
Zwo < C, the maximum achievable reliable rates for additive 
and overwrite jamming are characterized in the following. 


Theorem 1 (Additive jamming for equal link capacities). 
Under additive causal jamming, the maximum achievable 
reliable rate is 


Rf‘^iC,z) 



otherwise. 


Theorem 2 (Overwrite jamming for equal link capacities). 
Under overwrite causal jamming, the maximum achievable 
reliable rate is 


R°-{C,z) 



otherwise. 


For additive jamming and overwrite jamming, the two-part 
rate-regions are slightly different though the expressions are 
similar. Note that, regardless of the coding scheme, the best 
rate that we can hope for is C — z^ since the adversary 
can corrupt any z^ links. In the weak adversary regime, the 
best rate C — z^ is indeed achievable. To achieve it, the 
encoder would use an erasure code to encode the message and 
apply the pairwise-hashing scheme to help detect errors. The 
decoder detects the corrupted links first (which are regarded 
as erasures) and then the message will be retrieved from the 
sub-codewords carried by the uncorrupted links. 

However, no coding scheme (including pairwise-hashing) 
works for the strong adversary regime. The adversary can 
always adopt a “symmetrization” strategy so that the decoder 
is unable to distinguish the correct message and the fake mes¬ 
sage. The proof of the converse relies on an argument based 
on the Singleton bound Q that we present in Appendix 

Unequal link capacities: To incur maximum damage, the 
adversary may choose links with highest sum-rate to attack. 
We define the the total capacity of any subset of size w links as 
Uyj. Different choice of the subsets may incur different values 
of Uyj. Typically, the notation {Uw)max is used to denote 
the maximum value of U^, i.e. the largest sum-capacity of 











all possible subsets of size w. Similar to the situation with 
equal link capacities, the main idea is also encoding by erasure 
codes as well as adopting “pairwise-hashing” scheme to detect 
adversarial attacks. However, the only difference is that the 
maximum rate depends on Calvin’s ability to corrupt the links 
with largest sum-capacities. 


Theorem 3 (Additive jamming for unequal link capacities). 
Under additive causal jamming, the maximum achievable 
reliable rate is 


Rf^{C,z) 


0 , 


+ Z: 


.)) 


max 1 


otherwise. 


Theorem 4 (Overwrite jamming and unequal link capacities). 
Under overwrite causal jamming, the maximum achievable 
reliable rate is 


R°^{C,z) 


0 , 




.)) 


max 5 


otherwise. 


B. Reliability and secrecy without feedback 

In this section, we consider the scenario wherein Calvin 
tries to learn some information about Alice’s message from the 
links he eavesdrops. Besides reliable communication, we also 
want to prevent Calvin from gaining any information about 
the message. For this, we consider information-theoretically 
perfect secrecy, which requires that I {M-,Xz,f) = 0, where 
Xzfi is the sub-codeword transmitted on the links in Zr. In the 
following, we characterize the reliable and secure rate region 
in the equal link capacity case for the causal adversary. 


Theorem 5 (Additive, causal jamming with secrecy, equal 
link capacities). Under additive causal jamming, the maximum 
achievable reliable and secret rate is 

~ + Zro + 2Zru,)) if Z € , 

|0 Otherwise, 

where (a;)’’" is defined as (a;)"*" = max{ 0 ,a;}. 


Theorem 6 (Overwrite, causal jamming with secrecy, equal 
link capacities). Under overwrite causal jamming, the maxi¬ 
mum achievable reliable and secret rate is 


riow 


(z) = 



Zro “b 2^7.^^)) 


ifzGZ:, 

otherwise 


ow 

w,nf ’ 


where (a;)'*' is defined as (a;)'*' = max{ 0 ,a;}. 


The converse for the weak adversary regime (for both 
additive and overwrite jamming) follows from the standard 
information-theoretic inequalities, where we use the secrecy 
condition that any subset of Zr = {zr^) -b Zro) links cannot 
carry any meaningful information. In the achievable scheme, 
Alice needs to mix her message with Zr random keys and 
then use the reliable encoding scheme consisting of pairwise 
hashing and erasure coding. For the strong adversary regime, 
the converse is based on the Singleton-type arguments similar 
to the only reliability case. We present the detail proof in 
Appendix 


C. Reliability with passive feedback 

In this section, we examine the effect of passive feedback 
on the capacity under jamming for both additive and overwrite 
settings. For both these cases, the parameter space again 
decomposes into two parts - the weak adversary regime and 
strong adversary regime. 

The main idea for achievability of the claimed rate in the 
weak adversary regime is to use a two-round code. The first 
round involves sending a code that can handle up to Zrw + 
Ziuo erasures. At the end of the first round, Alice sees the 
codewords received by Bob and determines the links which 
have been corrupted. In the next round, Alice sends a random 
hash of all the received codewords by Bob on the uncorrupted 
links from first round. Bob can then check the received values 
from the second round to determine the links where the hash 
values do not match the received codeword and treat those 
links as erasures. 

The above scheme works as long as there is at least one 
link whose output is not seen by Calvin. This corresponds 
exactly to the condition for the weak adversary in the following 
theorems. If Calvin is able to see the output of all the links, 
he is as powerful as Alice and feedback no longer helps. 


Theorem 7 (Additive Jamming with Causal Feedback). Under 
an additive jamming with causal feedback, the capacity is 

j^add _ / ^ ^ and C 2 ^ 77 , 

[ C — Zu] otherwise 


Theorem 8 (Overwrite Jamming with Causal Feedback). Un¬ 
der an overwrite jamming with causal feedback, the capacity 
is 

j^ow _ f max {C 0} if Zj.q -b .^7.77; -t- 277777 ~ ^ 

bf y C — Zw otherwise 

We present the detailed proof in Appendix 


D. Reliability and secrecy with passive feedback 

The schemes for secrecy are similar to that for only reliabil¬ 
ity. The idea here is to mix appropriate number of random keys 
so as to prevent Calvin from inferring meaningful information. 
The protocols operate over multiple rounds. For overwrite 
jamming, Alice begins with mixing Zr number of keys. If 
Calvin corrupts a link, Alice detects the corrupted link through 
passive feedback and stops using that link from the next 
round. After Calvin corrupts 277 , 7 , links, for any more link 
that he corrupts, Alice reduces the number of random keys 
by one. In essence, Alice does not send any data on (up to) 
277 , links that Calvin corrupts, and uses Zro number of random 
keys. Roughly speaking, the scheme is secure because Calvin 
does not observe anything on z^w links, and 27 , 7 , number of 
random keys protect the data on Zro links that Calvin can only 
eavesdrop. 

For additive jamming, Alice leverages the fact that Calvin 
cannot observe data on 277,0 links. Here, when Calvin corrupts 
a link, she starts sending random symbols on that link. The 
idea is that, even after Calvin corrupts the symbols by adding 
any noise of his choice, z^o of them can be used as keys for 


TABLE I: The table gives expressions for the information-theoretically optimal rate regions in each scenario. The yellow cells refer to the 
main results presented in ASP. The new results presented in this paper are shown in red cells. We use (a;)”*" to represent max {0, x}. 


Model 

regime 

reliability 

reliability & secrecy 

Non- 

causal 

additive 

^wo 2z-p^ <C. C 

^ro “b ^wo “b 5^ C 

^ro “b 2Ziuo A 2Zj^i)j <C C 

Zr-a + 2z^^o + 2Zr^^^ > C 

c — (Zr„ - 1 - z„o) 

(C - 2Zr„ - z„o) + 

C — (Zru, -1- Zrao) 

C- 

(C - 2zr™ - 2z„o) + 

(C- (A2.,„+2.„J,„ax) + 

(C - - 2^0 - 2Zrw)^ 

0 

(C — Zro — Zwo — 2Zrw)'^ 

0 

overwrite 

Causal w/o 
feedback 

additive 

-1- < C 

-1- 2zr„ > G 

2ziu(j -j- 2zj-i^ <C C 

Z^a + 2Zr^ > C 

C — (Zrm -1- Z„o) 

C- 

0 

C - (Zr„ - 1 - z„o) 

0 

(C - .Sr-o - 2^0 - 2Zrw)'^ 

0 

{C — Zro — Zyjo — 2Zrw)'^ 

0 

overwrite 

Causal with 
passive feedback 

additive 

{zr- - C and 2z^ <C}\J {z^- < C} 

Zr — C and 2z-u} > C 

Zro + Z^o + Zrw < C 

Zro + Zwo + Zrw — C 

C - (Zx„ -1- z„o) 

0 

C — (Zxm -1- Z„o) 

(C - 2z„o - 2zx„) + 

min {C — Zr,C — Zw) 

0 

(C - - 2^0 - Zrw)^ 

0 

overwrite 


the next round. This limits the number of explicit keys to be 
mixed and enhances the rate. 

The following theorem formally states the capacity expres¬ 
sions for the above settings. 


Theorem 9 (Secrecy capacity with Causal Feedback, Additive 
Jamming). When causal passive feedback available to the 
encoder, the capacity for simultaneous reliability and secrecy 
is given by 


T^add 


(C — Zr)~^ if Zr > Zyj 
iC Zw )~^ tf ^ 


Theorem 10 (Secrecy capacity with Causal Feedback, Over¬ 
write Jamming). When causal passive feedback available to 
the encoder, the capacity for simultaneous reliability and 
secrecy is given by 


T^OW 


ZfQ ^wo ^rw) 


As earlier, we give the full proof in Appendix 

References 

[1] I. Reed and G. Solomon, “Polynomial codes over certain finite 

fields,” Journal of the Society for Industrial and Applied Mathematics, 
vol. 8, no. 2, pp. 300-304, 1960. [Online]. Available: http: 

//dx.doi.org/10.1137/0108018 

[2] R. C. Singleton, “Maximum distance q -nary codes,” Information Theory, 
IEEE Transactions on, vol. 10, no. 2, pp. 116-118, Apr 1964. 

[3] L. H. Ozarow and A. D. Wyner, “Wire-tap channel II,” in Proc. 
EUROCRYPT 84 workshop on Advances in cryptology: theory and 
applicationof cryptographic techniques. New York, NY, USA: Springer- 
Verlag New York, Inc., 1985, pp. 33-51. 

[4] A. Lapidoth and P. Narayan, “Reliable communication under channel 
uncertainty,” IEEE Transactions on Information Theory, vol. 44, no. 6, 
pp. 2148-2177, Oct. 1998. 

[5] S. Jaggi, M. Langberg, T. Ho, and M. Effros, “Correction of adversarial 
en'ors in networks,” in Proceedings of International Symposium in 
Information Theory (ISIT 2005), Adelaide, Australia, 2005, pp. 1455- 
1459. 

[6] H. Yao, D. Silva, S. Jaggi, and M. Langberg, “Network codes resilient 
to jamming and eavesdropping,” in Proc. Workshop on Network Coding 
Theory and Applications, Toronto, Canada, Jun. 9-11 2010. 


[7] S. Jaggi and M. Langberg, “Network security,” in Network Coding: 
Eundamentals and Applications, M. Medard and A. Sprintson, Eds. 
Academic Press, 2012. 

[8] Q. Zhang, S. Kadhe, M. Bakshi, S. Jaggi, and A. Sprintson, “Talking 
reliably, secretly, and efficiently: A “complete” characterization,” in 
Information Theory Workshop (ITW), 2015 IEEE. IEEE, 2015, pp. 
1-5. 

[9] B. Dey, S. Jaggi, and M. Langberg, “Codes against online adversaries, 
part i: Large alphabets,” IEEE Transactions on Information Theory, 
vol. 59, no. 6, pp. 3304-3316, 2013. 

[10] L. Nutman and M. Langberg, “Adversarial models and resilient schemes 
for network coding,” in Proc. IEEE Int. Symp. Information Theory, 
Toronto, Canada, Jul. 6-11, 2008, pp. 171-175. 

[11] O. Kosut and L.-W. Kao, “On generalized active attacks by causal 
adversaries in networks,” in Information Theory Workshop (ITW), 2014 
IEEE. IEEE, 2014, pp. 247-251. 

[12] S. Jaggi, “Design and analysis of network codes,” Dissertation, Califor¬ 
nia Institute of Technology, 2005. 

[13] P. Wang and R. Safavi-Naini, “An efficient code for adversaiial wiretap 
channel,” in Information Theory Workshop (ITW), 2014 IEEE. IEEE, 
2014, pp. 40-44. 

[14] D. Dolev, C. Dwork, O. Waaits, and M. Yung, “Perfectly secure message 
transmission,” Journal of the Association for Computing Machinery, 
vol. 40, no. 1, pp. 17^7, January 1993. 

[15] A. Patra, A. Choudhury, C. Pandu Rangan, and K. Srinathan, “Uncon¬ 
ditionally reliable and secure message transmission in undirected syn¬ 
chronous networks: Possibility, feasibility and optimality,” International 
Journal of Applied Cryptography, vol. 2, no. 2, pp. 159-197, 2010. 

[16] Q. Zhang, S. Kadhe, M. Bakshi, S. Jaggi, and A. Sprintson, “Talking 
reliably, secretly, and efficiently: A complete chai'acterization,” Accepted 
for ITW 2015. Long version available at http://personal.ie.cuhk.edu.hk/ 
-mayank/ZhangKB JS14.pdf 














Appendix A 
Auxiliary Lemmas 

Definition 1 (Matrix-hashing). For any N x N square matrix 
A and vector p of length N, the matrix-hash h(A, p) is defined 
as 9 = Ap, where 9 is also of length N. 

Lemma 1. Let q be a prime power. Suppose the N x N matrix 
A is uniformly distributed over and the length-N non¬ 

zero vector p is also uniformly distributed over F^\{0}. Let A 
be a random matrix independent from A and p be distributed 
over with some distribution Then for any p not 

equal to zero, 

Pr \Ap = Ap\ < 

A,A,p q 

Proof: The matrices A and A are uniformly distributed over 
finite field F^, and they are also independent from each other. 
Therefore the difference of the two matrices A — A should 
also be a matrix which is uniformly distributed over 
We use the fact that a random matrix over F, is non-invertible 
with probability at most ^. Since p is non-zero, the equation 
{A — A)p = 0 only if the matrix A — A is non-invertible. 
Therefore we conclude that 

Pr [Ap = Ap] = Pr [(A — A)p = 0] < -. 

A,A,p A,A,p q 

Lemma 2. Let q be a prime power and suppose the N x 
N matrix A is uniformly distributed over F^^^. Let 9 be 
a random length-N vector distributed over independently 
from A and according to an arbitrary distribution Then 

for any non-zero length-N vector p, 

^ N 

Pr [Ap = 9] < —. 

A,0 9 

Proof: Each row Ai of matrix A is uniformly distributed 
over the finite field F ^ and independent from vector p by the 
definition of matrix A. For every i s.t. 1 < i < N, 9^ = Aip 
is also uniformly distributed over F^. Therefore, the vector 9 
is uniformly distributed over F^ and for each i, 

Pr [9i = 0i] < - 
Af 9 

by Schwaitz-Zipple Lemma. By applying the Union bound, 
we conclude that 

PrJAp = 9] = Pr[6l = 9]< 

A,e A,§ 9 

Appendix B 

Proofs eor reliablity without feedback 

In the presence of a causal adversary, a two-part rate- 
region is presented in Section IV. In this Appendix we provide 
supporting proofs for Theorems 1 and 2, which provide 
the claimed characterizations of the two-part rate-regions for 
additive jamming and overwrite jamming. 


A. Proof of Theorem ^ 

1) Achievability for weak adversary regime: Since the 
adversary can only jam in a causal manner, a pairwise¬ 
hashing scheme is helpful to achieve the best rate for the weak 
adversary regime. 

Encoder : The encoder operates over a finite field F^, where 
q = 2^ and we set b — \og{nC) for equal link capacities while 
b = log(nC') for unequal link capacities. Choose N such that 
-\- N{C -f 1) = The codeword consists of C vectors 
each of length -\- N{C -I- 1) over the 
finite field F,. Each is of the form 

hi2f ■•■5 hic]- 

Here, l)i is such that 2 , ■ ■ ■ c together form the 

codeword corresponding to the length-ni?®^^'^ bit message m 
using a Reed-Solomon code of length C and rate C—Zrw—Zwo 
over the finite field F^^. l^i is the hash key generated for each 
row. The value of hash function is defined as hij. 

For each link Li, the encoder also appends C pairwise hashes 
hii, hi 2 , ..., hic corresponding to the C links. 

Hash Function : The idea of Matrix-hashing (see Lemma [T] 
in Appendix is used for the hash function. Notice that the 
randomly generated hash keys are of size N and each length- 
iV^ payload iJi can be rearranged as a N x N matrix Di. We 
pad auxiliary bits before the packets if a square matrix cannot 
be formed. The hashes hij is obtained from the hash function 

h{l}„ti) = Djt,. 

Decoder : After transmission, the received packet of the i-th 
link Li is of the form 

f, = [[/' hZ hg--- hgcl 

For each Lj, link Li and Lj are consistent if and only if 
h'ij = h(Uj,ltl) and hF = In particular, link 

Li is called self-consistent if and only if hL = h(lf 

The decoder Bob first removes the links that belong to 
Zwo by checking self-consistency. Then Bob constructs an 
undirected graph with C vertices and for Vz,j, he connects 
the two vertices Vi and Vj if Li and Lj are consistent. To 
detect the uncorrupted links. Bob adopts a “finding largest 
strategy, i.e., a link is assumed to be uncormpted if 
its corresponding vertex belongs to the largest clique. Finally, 
Bob decodes the message from the C — uncorrupted links 
by Reed-Solomon code. 

Analysis: Before transmission, any two links are consistent 
and the clique formed by Alice is of size C. After adversarial 
corruption, the size of clique formed by Alice (correct clique) 
is of size at least C — Zw On the other hand, Calvin may 
mimic the behavior of Alice and and attempt to form a fake 
clique that is as large as possible. For any two links belonging 
to Calvin is able to make them consistent since he 

can modify the payload first, and then compute matching 
hashes to insert. However, if link Li belongs to Z^w and 
link Lj belongs to Zro, Calvin cannot induce consistency 

^The method, comes up in jsl, is not an NP complete problem. 






since /J', ^ with high probability. This is because 

^ ^ _ y 

with causality, Calvin doesn’t have the ability to observe K j 
and hji when modifying l)i. In this scenario, the probability 
that Calvin can induce h', = is at most - over 

finite field (see Lemma HI in Appendix |A]i. We would like 
to make q larger, i.e., enlarge the size of the packet, to reduce 
the error probability. 

In conclusion, Calvin is able to form a fake clique of size 
at most Zrw If Bob wishes to hgure out the uncorrupted links 
by finding largest clique, the size of correct clique should be 
larger than the fake clique, i.e. C — z^, > Zrw Therefore we 
derive the condition for our weak adversary regime, which is 
z^o + ‘^Zrw < C, and the rate R = C — Zrw — can be 
achieved. 0 

2) Converse for weak adversary regime: Irrespective of the 
encoding/decoding scheme, Calvin can always add uniformly 
random noise to any Zu, links. No information can be recovered 
from the z^jo links and thus no rate higher than C — z^ is 
possible. 

3) Converse for strong adversary regime: In the strong 
adversary regime (z^o + ^Zrw > C), we prove that no reliable 
communication is possible no matter which encoding scheme 
Alice will use. To confuse Bob, the causal adversary Calvin 
will always adopt the following “symmetrization" strategy: (a) 
corrupt the last {resp. Zyjo + 1) links by adding random 
noise if C — z^jo is even {resp. odd), and (b) “attack" either 
the top half or the bottom half of the remaining C = C — z^o 
(resp. C = C — Zwo — 1) links, where the “attack" is defined 
below. This is a viable jamming strategy for Calvin since 
Zrw > (C ~ z.uio)l‘^ in the strong adversary regime. The 
specific attack Calvin chooses is to pick a message m' hrst 
and substitute the original codewords belong to Znw by the 
codewords corresponding to m' . In this way. Bob has no idea 
whether m or m' was transmitted. 

We assume the message M is uniformly distributed from 
the message set fA, denoted by Um- Let Xu be the random 
variable of the codeword. Moreover, Xji{m) is used to rep¬ 
resent the random variable of the codeword conditioned on 
message m. The event r(m, k, to', fc') stands for the scenario 
when Alice chooses a message to and a random key k while 
Calvin chooses a message to' and a random key k'. We can 
show that the probability of the event r(TO, k, to', k') and the 
event r(TO', k', to, k) are exactly the same. 

Pr[r(TO, k, to', k')] 

= UM{m)Pxr,irr.){X)UM{m')Px^(^.){X') 

=UMirn')Pxif^{m’)iX')UMim)Pxii{m)iX) 

=Pr[T{m', k', to, k)] 

Let Py{m,k,m',k') and Py{m'^k',m^k) denote the distri¬ 
butions of the received codeword conditioned on the events 
r(TO, fc, TO',fc') and r{m',k',m,k) respectively. Given the 

^Notice that the links belong to Z^yq are also detectable by simply 
checking the self-consistency. We claim a link belongs to Z\yo if it is not 
self-consistent. However, this process is not necessary since we can detect the 
uncomapted links by finding the largest clique. 


event r(TO, fc, to', fc'), the received codeword would be either 


[^1,. 

c' 

2 

1?' 

A 

, ^C' + l, ■ 



A. Q, 
2 



, ^C' + l, ■ 



with equal probability. The same distribution of the code¬ 
word will be received when the event r{m',k',m,k) hap¬ 
pens. We conclude that the distributions Py{ni,k,m',k') and 
Py{m',k',m,k) are exactly the same. Therefore Bob can¬ 
not distinguish the events r(TO, k, to', k') and r(TO', k', to, k) 
when decoding, and thus has no idea whether to or to' are 
transmitted. The error probability is 

Pr(error) = ^(l-^^) 

if Bob uses an optimal maximum-likelihood decoder (the term 
1- ^sdd is due to the “small” probability that the message 

to' Calvin chooses to use to confuse Bob happens to actually 
match Alice’s message to). 

B. Proof of Theorem 

1) Achievability for the weak adversary regime: The 
pairwise-hashing scheme also works for the overwrite jammer. 
The encoding scheme here is the same as that in the additive 
case. We briefly describe it below for completeness. As earlier, 
we first generate a payload l}i for each link Li using a 
Reed-Solomon code. Next, we append the hash key and 
pairwise hashes to the the payload to obtain the codeword 
lli = \[}iliiihii,hi 2 , ■■■,hic\. After transmission, the re¬ 
ceived packet is denoted by 

As in the additive case, the decoder forms an undirected 
decoding graph with C nodes and connects two vertices Vi 
and Vj if Li and Lj are consistent. Finally, the decoder finds 
the largest clique in the decoding graph to determine the set 
of uncorrupted links. Although the same encoding strategy is 
applied, a different rate-regime is obtained since the overwrite 
jammer is slightly stronger than the additive one. 

Analysis: After transmission, the size of the correct clique 
is at least C — z^ since Calvin doesn’t have privilege to 
jam on these links. At the same time, Calvin is able to 
induce a fake clique of size no larger than Zrw + Zwo- This is 
because on the links that belong to Zrw and ZwOi Calvin 
can overwrite the payloads first and then overwrite the hash 
vectors with appropriately computed replacements.. Therefore 
the corresponding vertices will form a clique of size Zrw+z^io- 
Notice that from the receiver’s perspective, the subset Zrw 
is equivalent to Zwo with overwrite jamming. With additive 
jamming, we have proved the fake clique that Calvin may 
induce is of size Zrw- Therefore as long as Zrw+Zwo < C—Zw, 
the rate R = C — Zw is achievable. 

2) Converse for weak adversary regime: Irrespective of 
the encoding/decoding scheme, Calvin can always arbitrarily 
choose a subset Zw and overwrite these links by adding 
noises. As a result, at most C — z^, links can carry useful 
information and thus the maximum rate is at most C — Zw 





3) Converse for strong adversary regime: The condition 
for strong adversary regime is Zrw + z^o > C/2 with 
overwrite jamming. In this regime, the adversary is able to 
jam at least half of the C links and may perform a similar 
“symmetrization” strategy. Irrespective of the coding scheme, 
Calvin will (a) first pick a message m! and a key k' randomly 
to obtain the corresponding codeword X', (b) then attack either 
the top half or the bottom half (If C is odd, Calvin will first 
“erase” one link by overwrite it with a zero packet). In this 
case, the messages m and m! are perfectly symmetric so that 
Bob is unable to distinguish them. 

If the event rjm, k, m', k') happens, the received codeword 
would be either 


or 


[^1, ...,^c 




with equal probability. Meanwhile, the received codeword 
has the same distribution when the event T{m',k',m,k) 
happens. Therefore the distributions Py{m,k,m',k') and 
Py{m', k', m, k) are also the same and Bob is unable to decide 
which message is transmitted. The error probability is equal 
to Pr(error) = ^(1- ) if a random decision is made. 

Appendix C 

Proofs for reliablity and secrecy without 

FEEDBACK 

A. Proof of Theorem 

1) Weak adversary Regime: 

Converse: Consider the following strategy for Calvin. First, 
on the links in Zw he adds uniformly random noise that 
is independent of the codewords on other links. Next, he 
eavesdrops on all Zr links. We show that, using standard 
information-theoretic inequalities, that it is not possible for 
Alice to reliably and secretly transmit at any rate more than 
C — Zyj — Zr- Notice that Calvin can jam any z^ links and 
can eavesdrop any Zr links. Consider a code of length n that 
achieves an error probability e„ and achieves perfect secrecy. 
The following set of inequalities follow. 


H{M) = H {M\Y) + I {M-Y) 

(a) 

< ne„ +I (M; F) 


links. Then, we get I{M;Yf™) = 0, as Calvin adds uni¬ 
form random noise independent of Alice’s transmissions. 
Also, / (M; = / (M; F^^_|_]^) due to inde¬ 

pendence of added noise. Finally, we use the fact that 
for the set of uncorrupted links, we have Yc\Zw = 
Xc\z„, which gives /(M;F^^+i) = /(M;X£+i). For 


getting (e), we use the fact that for any subset Zji of 
links of size Zr, the secrecy requirement imposes that 
/ (M; XzJ = 0. Thus, I (M; ) = 0. In addition, we 

have < H . 

Lastly, (f) follows from the fact H < 

H < C — Zw — Zr, where the second inequality 

is due to unit link capacities. 

Achievability: Alice first appends n{C — z^ — Zr) message 
symbols with nZr uniform random key symbols to form 
n{C — Zyf) super-message symbols. Then, she uses the achiev¬ 
able scheme mentioned in the proof of Theorem 1 (case 1) 
composed of a (C, C — Zw) Reed-Solomon code together with 
the pairwise hashing scheme. We require that the generator 
matrix of the Reed-Solomon code consists of a Cauchy matrix. 

Now, Bob can locate the set Zw of corrupted links using 
pairwise hashing and uses the Reed-Solomon code to decode 
the super-message symbols from the remaining links. Then, 
Bob separates the random keys and the message symbols from 
the super-message symbols, since the first n{C — Zw — Zr) 
symbols of the super-message are the message symbols. 

For secrecy, we show that Calvin cannot infer any infor¬ 
mation from the links he eavesdrops. We denote the set of 
random keys by k and the corresponding random variable 
by K. Further, let Xz^ denote the links being eavesdropped. 
Consider the following set of inequalities. 


I{M-Xzg = H {Xzg - H (XzgM) 

(a) 

< nZr-H{XzJM) 

(h) 

<nZr-H {Xz„\M) + H {XzgM, K) 
nZr - I {Xz^-,K\M) 
nZr - H {K\M) + H {K\M, XzJ 
nZr -H{K) + H {K\M, Xzg 

(0 

<H{K\M,Xzg, (2) 


ne„ + I (M; F^^™) + / (M; Yg^, jYf-) 




< nCn + I (M; Xg_f_g 


(d) 


where (g) follows from from the fact that each link has 
unit capacity and Calvin can eavesdrop at most Zr links, (h) 
follows from the non-negativity of entropy, (i) and (j) follow 
from the definition of mutual information, (k) follows because 
< nen -h I (M;Xg+g) -h I (M; Xg_^^^_^^lXg+g) keys are independent of the message, and (1) follows from 

the fact that the keys are uniform random, giving JT (K) = 
nZr- Now, in order to prove secrecy, we need to show that 
H{K\M,Xzg — 0. In other words, one can decode the 
(1) keys from Xzj^ and M. Let G(^Xz ) denote the rows of the 
Cauchy generator matrix corresponding to the symbols Xz^- 
Therefore, we have 


< nen + H 
if) 

< ne„ -C C - Zw - Zr, 


where e„ —0 as n —> oo. Here, (a) follows from 
Fano’s inequality. Inequalities (b) and (d) follow from the 
chain rule for mutual information. To obtain (c), we as¬ 
sume without loss of generality that Calvin jams first Zw 


Xzn - G(^Xz 









To prove that H (iT|M, Xz^^) = 0, one needs to show that 
the following system of linear equations can be solved. 


Xz 


R 




'M 

[no\ 


K 


(3) 


where I denotes identity matrix of size n(C—Zyj — Zr) x n{C— 
Zw — Zr), and O denotes zero matrix of size n{C — z^ — Zr) x 
nzr- First notice that G(^Xz ) ^ Cauchy matrix since it is a 

sub-matrix of a Cauchy matrix. Then, using the property that 
any square sub-matrix of a Cauchy matrix is non-singular, it is 


straightforward to show that the matrix 
Therefore, the linear system ([^ can be 


is invertible. 


inverted, and we have 


H{K\M,Xz^)^0. 


2) Strong adversary Regime: Notice that even in the ab¬ 
sence of secrecy, no positive rate is achievable in this regime. 
Adding the extra requirement of secrecy can only decrease the 
communication rate. Thus no communication at positive rate 
is possible in this regime. 


B. Proof of Theorem 

For the weak adversary case, the converse and achievability 
proofs follow from the same arguments as in the proof of 
Theorem 5 and is omitted for brevity. 

For the strong adversary regime, the rate without the secrecy 
requirement is zero. This implies that no positive rate is 
possible when secrecy condition is added on top of reliability. 


Appendix D 

Proof for reliability with passive feedback 
A. Proof of Theorem 

Noting that the rate cannot exceed C — z^ even with 
feedback (since Calvin can always inject random noise on z^ 
links). Therefore, to prove the claim of Theorem [7j it suffices 
to show the following: 

• (a). C — z^ is achievable whenever Zr < C or C > 2zu,, 

• (b). No positive rate is possible when Zr = C and C < 

1) Proof of (a): We prove the achievability of the rate C — 
Zw by partitioning the parameter set fb — {^r < C} U 
{C > 2zu,} into disjoint sets Z\ = \Zr < C} and Z^ = 
{zr = C} n {C > 2zw}, and using different coding schemes 
in the two sets. 

Achievability for Z\: The code operates over two rounds. In 
the first round, Alice uses an erasure code of length C capable 
of correcting upto Zw erasures. Upon observing the codewords 
received by Bob (through passive feedback), Alice computes 
random hashes of each of the C received codewords and sends 
these hashes on the links which are not corrupted in the first 
round. 

Formally, we show that the rate C — z^ is achievable 
(and hence, any smaller rate is also achievable). Alice first 
chooses a blocklength n > [log 2 C] and encodes an nR-h\t 
message over n + C^/n time slots using a two-round scheme 
as follows. Round 1 : In the first round, Alice uses n time 
slots to transmit using the following scheme. Alice treats m 
as R consecutive symbols mi, m 2 , ■ ■ ■, mu from a finite field 


F 2 n of size 2”. Next, Alice encodes (mi, m 2 ,..., Wfl) to 
\ ■ ■ ■ 1 using a Reed-Solomon code ca¬ 
pable of correcting upto Zw erasures and sends on the link 
Li for each i = 1, 2,..., C. These codewords are corrupted 
by Calvin and Bob receives ... , 1 )^^). 

Alice also observes causally using the passive feedback 
available to her. Based on her observation, Alice partitions 
Li, L 2 , ■ ■ ■, Lc into two sets - consisting of all links Li 
where xf''^ = and consisting of all links Li where 
Xi yi. Note that Zy,GZwG {Li, L 2 , • • • , Lc}. 

Round 2 : In the second round, Alice uses the feed¬ 
back seen from first round and transmits random hashes 
over 2C^n time slots using the following scheme. Alice 
picks C independent random keys p\, p2, ■ ■ ■, pc und com¬ 
putes hashes pi),P 2 ), • ■ Kv'c -,90), each 

of length using the matrix hash scheme (See Ap¬ 

pendix 1^. Next, Alice transmits the codeword x^f^ = 
[h{y[^\ pi) P2) ... h{y'}}\ pc) Pi P2 ■ ■ ■ pc] on every 

link Li £ Zz and a random length-2C'-v/n vector on every 
link Li £ Zx- 

Decoding: Bob first partitions the set of links into sets Zz 
and Zx using the following classification. 

• If Bob determines that the hash values and keys specified 
by yl are consistent with all the received codewords in 
the first round, i.e., he assigns Li to Zz- 

• Else, Bob assigns Li to Zx- 

Finally, if the size of Zz is at least as large as C — Zw, Bob 
uses the codewords : Li £ Zz) to decode the message. 
Else, he declares an error. 

Analysis: Note that Zz includes every link that is not cor¬ 
rupted by Calvin (and possibly some other links as well). Thus, 
jZzj > C — Zw Since the Reed-Solomon erasure correcting 
code can recover from any C—Zw correct symbols out of 
a; 2 ^\ ..., in order to prove that Bob can successfully 
decode m with a high probability, it is sufficient to show that 
Zx Q Zx with a high probability. Without loss of generality, 
we show the above when Zw < C (since zero rate is trivially 
achieved when Zw = C). 

Let Lg £ Zx- Since z^ < C, there is at least one link Lt 
such that y^jx’ is observed by Bob (and hence by Alice), but 
not by Calvin. This implies that in the second round, even 
if Calvin knows pt, he can only randomly guess a consistent 
replacement for h{y^\pt). Thus, 

Pr (Zx ^ Zx) 


< 

Pr G 


S £ Zx) 



= 

Pr (yf^ 


■■h(yc\M Pi- 

• - pc] 



for some pi, 

■ • •,Pc) 


< 

Pr f 

'(y 

S / - - , 

II 

y) 




i)+i 

< 

2"'^. 


















In the above, the upper bound on the guessing probability 
follows from Lemma |2] 

Achievability for Z 2 : In this parameter setting, we note that 
since Zr = C, Z^j\/ = and Z^/o = 0- Using the fact that 
< C12, Theorem we can achieve a rate C — z^-w — Zwo 

without using feedback. 

2) Proof of (b): Next, we show that Zr = C and Calvin 
controls more than half the links. Bob cannot distinguish 
between Alice and Calvin. Let Z\ = {Li,... ,Lyc/ 2 \} and 
Z 2 = {L\c/ 2 ]+i, ■ ■ ■, Lc}- Let Ze = {L[c/ 2 ] } if C is odd, 
and 0 otherwise. Note that \Zi\ = \Z 2 \ < Zw 

For any message m and any code chose by Alice, Calvin’s 
attack strategy is the following. First, Calvin adds a uniformly 
random noise sequence on any link in Ze- Next, he selects a 
random message m' and chooses a set Z' uniformly at random 
from {Zi,Z 2 }- Finally, he uses Alice’s coding strategy to 
encode the message m' over the links in Z'. Calvin can do 
this as Zr- = C and therefore, anything that is seen by Alice 
and Bob is also seen by Calvin. 

Now, Bob is unable to reliably distinguish between follow¬ 
ing two cases: 

• Alice’s message is m and Calvin’s message is m!. 

• Alice’s message is m' and Calvin’s message is m. 

Thus, the probability of error for Bob is at least 1/4 if Alice’s 
rate is non-zero. □ 

B. Proof of Theorem 

From the point of view of the proof of Theorem the 
overwrite jamming case differs from the additive one only in 
the respect that even on the links in Zwo, Calvin knows the 
output (since he can replace it with anything of his choice). 
Thus the scheme from the proof of Theorem |7] works only if 
there is at least one link which is neither seen nor corrupted 
by Calvin. 

The converse also follows similar arguments. If Calvin can 
see the output on all the links, he can follow a symmetrization 
strategy to confuse Bob if the rate is larger than C — 2{zrw + 
Zyjo)- The idea is that if Calvin sees everything also seen by 
Bob and Alice, he can follow’s Alice’s coding scheme exactly 
but with a different message. 

The proof is essentially the same as the proof of Theorem 
7, and so we omit it here. 

Appendix E 

Causal Jamming with Passive Feedback and 
Secrecy 

A. Proof of Theorem 9 

Note that the converse arguments in this case are straight¬ 
forward. When Zw > Zr, the rate cannot exceed C — Zw 
since Calvin can always inject random noise on Zw links. 
When Zr > z^, any set of Zr links cannot carry meaningful 
information due to secrecy requirement, which results in the 
rate C — Zr- 

We present the proof of achievability for the regime Zr > 
Zru- The scheme for > Zr is analogous. 

Encoding: The protocol operates over multiple rounds in four 
stages. Alice divides nR-hit message into NR number of 


symbols, where N < n is such that N\n. Observe that each 
symbol is over the finite held of size q = 2"’/^. Let z^, 
Zw ^ z-u], be the number of links that Calvin chooses to corrupt 
in hrst N rounds. Let ij be the round at which Calvin chooses 
to corrupt /-th of the z^, links that he can corrupt. Notice that 
1 < ii < i 2 < ■ ■ ■ ^ < N. In each round, Alice transmits 

encoded symbols over C links as described below. 

Stage 1: The hrst stage is from rounds 1 < i < ii. In 
the hrst stage, in each round, Alice encodes R = C — Zr 
message symbols (each over F 2 n/N) together with Zr random 
keys (chosen uniformly and independently over F 2 ../iv). Let 
us denote the R message symbols transmitted during i-th 
round as m^*\rn 2 *\--- and the Zr random keys as 

, • • • , . Then, alice generates C encoded symbols 

for the Lth round as 




r (On 

m\ 

(»)' 

x\ 



(») 

X 2 

= G 


(t) 
Xc _ 




where G is a C x C Cauchy matrix with each entry from 

W2n/N . 

Stage 2: The second stage is from rounds Zi -f 1 < 
i < N. Consider the case when Calvin has corrupted the 
j-th link (1 < j < Zm). Since Alice can overhear the 
transmissions till round she knows the links that Calvin 
has corrupted so far. We denote the set of corrupted links 
as Zw = {li,--- ,lj}, and its complement as Zw^\ Let 

be the set of codewords 
received by Bob in round z — 1 on the corrupted links. Then, 
the codewords transmitted in round i (ii + 1 < i < N), in 
stage 2, are given as 



,(* 



m: 





,(0 _ 

(U) “ 




(5) 


( 6 ) 


where G_(i^) is the sub-matrix of G formed by taking the 

^ -fz -) 

rows of G corresponding to indices in the set Zw . 

Stage 3: Since Alice overhears the symbols received by 
Bob in each round, Alice can easily determine L, * 2 , • ’ ’ > 

In stage 3, Alice sends pair of corrupted links and corrupted 











indices, i.e., = {ii, * 2 , ^ 2 ; • • • on all of 

the links 1 < I < C. 

Stage 4: In the last stage, Alice computes a randomized 
hash of for each 1 < / < C, as follows. First, 

Alice picks C independent random keys pi, p 2 , ■ ■ ■, pc 
computes hashes H = pi), P 2 ), ■ ■ ■, 

h{yQ'^~^^\ Pc)}, each of length using the matrix hash 

scheme (see appendix). Next, Alice transmits the hash H on 
every link Li G L'> ^ random n-length vector 

on every link Li G L 

Decoding: The first phase of decoding works in the same way 
as in the scheme without secrecy. Bob hrst partitions the set of 
links into sets and using the following classihcation. 


• For each llink L;, if Bob determines that the hash values 

and keys specihed by Hi are consistent with all the 
received codewords on that link in the first three stages, 
i.e., he assigns L; to Z./. 

• Else, Bob assigns Li to Zy,. 

From the links in Z./ , Bob determines the corrupted links and 
the rounds from which Bob started corrupting the links, i.e., 
{ii, Zi; t 2 , ^ 2 ; • • • Bob then decodes the codewords 

for each round starting from round 1 using the appropriate 
links for each round. In particular, he uses all the links for 
rounds 1 < i < ii — 1, all the links except li for rounds 

+ 1 < i < ^2 — 1, and so on. If the set Z./ is empty, he 
declares an error. 

Analysis for decoding: Note that Zy includes every link that 
is not corrupted by Calvin. In order to prove that Bob can 
successfully decode m with a high probability, hrst, we need 
to show that Z^™ = Zy with a high probability. This proof 
is analogous to the case without secrecy. 

Next, we need to show that Bob can decode for each round. 
In stage 1, till rounds ii — 1, no link is corrupted by Calvin. 
Thus, Bob can use and invert G to decode the messages 
(and keys as well). In stage 2, let us consider the rounds from 
ij + 1 < i < ij+i — 1. In each of these rounds, notice that on 
uncorrupted links Zw^\ we have Thus, Bob 

can use Q along with the receivecf codewoi^s in previous 
round on corrupted links y to get the following system 
of equations 



,F) 1 

i^j ) 



0 f/.j 


k} 


(*) 


^Zr-j 


(7) 


where 0 is ajxC — j zero matrix and Ij is a j x j identity 
matrix. Using the property of Cauchy matrix that any of its 
square sub-matrices is non-singular, it is easy to show that one 
can solve 0. 


Remark: Note that in each of the rounds ii, ^ 2 , • • • , Bob 
cannot decode the message symbols since Calvin corrupts the 
new link. Therefore, the number of symbols (messages plus 
keys) that can be correctly conveyed to Bob is N — Zyj > 
N — Zw ^ N for large N. 

Analysis for secrecy: We show that in any round, Calvin does 
not get any information about the message symbols. In the 
hrst stage, in round i, f < i < ii, Calvin gets the following 
system of equations on the links Zj. that he can observe: 


„(*) 






(i) 

R 

■H) 


m 


Ai) 


( 8 ) 


where Gz,. is the sub-matrix of G rows corresponding to links 
in Zu,. Using the properties of Cauchy matrix, we can prove 
that / (^M ; ^ = 0 using the same steps as in the case 
without passive feedback. 

Next, we prove secrecy for every round i, ii -\- f < i ^ N, 
in stage 2. Consider the case that Calvin has corrupted j links, 
1 < j < 5^. Let ziw be the number of corrupted links that 

Calvin can also eavesdrop, and Zw), be the remaining corrupted 

(i) (i) 

links (zrw -f zlis = j). Note that Calvin observes (left hand 
side of) the following system of equations: 


(i) 

Xzl 


■ Gz, ■ 

„F-i) 

J 




(i) 


(t) 

rrijf 

kG) 

iZ-(i) 

(”-l) 

ViU) 


(9) 


where 0 is a j x zfH zero matrix, and /.(j) is zfU x zfH 

ii) 

identity matrix. Out of the eavesdropped codewords Xz/, the 
ones on the read-write links are random keys ( [T2l i. Thus, in 

round i, the number of codewords containing messages that 

(i) (i) 

are observed by Calvin is Zro + Zrw — Zwo = Zr — Zwi. 

Now, observe that Alice mixes Zro—j explicit random keys. 
Out of the randomness generated over j corrupted links by 
Calvin Zw^'^ using previous round codewords, Calvin knows 
y:(j) due to his eavesdropping power on those links. Since 

(i— 1 ) 

he cannot eavesdrop on remaining of the j links, act 

as random keys. Thus, the total number of random key°s used 
by Alice are {zro — j) + U ~ ^rw) = Zro — ziw. Hence, the 
number of keys equals the number of observed codewords. We 
can prove that no information is leaked using the properties 
of Cauchy matrix, using the same technique as in the case 
without passive feedback. 



















B. Proof of Theorem 10 

The flavor of the scheme and the proof remains the same as 
above. The key difference is the following. In stage 2, when 
Calvin corrupts a link, Alice stops using that link and, on the 
contrary to the additive noise case, she does not initially reduce 
the number of explicit keys. After Calvin corrupts z^o links, 
for each additional corrupted link starting with {zwo + 1)- 
th link, Alice reduces the number of explicit keys by one. 
Besides, she also stops using that link. Therefore, essentially, 
Alice does not send any data on (up to) Zw links, and on 
remaining links she mixes message symbols with (at least) 
Zro random keys for secrecy. 

We first present achievability scheme. 

Encoding: The protocol operates over multiple rounds in four 
stages. Alice divides ni?-bit message into NR number of 
symbols, where N < n is such that N\n. Observe that each 
symbol is over the finite field of size q = 2"/^. Let z^, 
Zw < Zw, be the number of links that Calvin chooses to corrupt 
in first N rounds. Let ij be the round at which Calvin chooses 
to corrupt j-th of the Zw links that he can corrupt. Notice that 
1 < < t 2 < • • • < < N. In each round, Alice transmits 

encoded symbols over C links as described below. 

Stage 1: The first stage is from rounds 1 < i < ii. In the 
first stage, in each round, Alice enodes R = C—Zro—Zwo—Zrw 
message symbols (each over F 2 n/N) together with Zr random 
keys (chosen uniformly and independently over F 2 ,>/jv). Let 
us denote the R message symbols transmitted during z-th 
round as mj*\m 2 *\-’' random keys as 

A: 2 *\ ■ ■ ■ 7 kz"}- Then, Alice generates C encoded symbols 
for the z-th round as follows. 



where G is a C x C — Zwo Cauchy matrix with each entry 
from F 2 n/N. 

Stage 2: The second stage is from rounds zi -f 1 < z < W. 
Consider the case when Calvin has corrupted the j-th link (1 < 
j < Zw)- Since Alice can overhear the transmissions till round 
ij, she knows the links that Calvin has corrupted so far. Once 
Calvin corrupts a link, Alice starts sending random symbols on 
that link from the next round. Essentially, Alice stops using the 
corrupted links for any meaningful transmission. If j < Zwo, 
Alice keeps mixing Zr keys, else she reduces the number of 
keys by one for each corrupted link. 

To describe this formally, we denote the set of j links that 
have been corrupted up to round ij as Zw = {(i, • • • ,lj}, and 
its complement as Zw ■ The codewords transmitted in round 


z (zi -f 1 < z < N), in stage 2, are given as 


where G_(i^) is the sub-matrix of G formed by taking the 

^ “(i •) 

rows of G corresponding to indices in the set Zw and first 
R Zr — {j — Zwo)^ columns, and 

GO 

V-0-z™o)+-ri 

GO 

Stage 3: Since Alice overhears the symbols received by 
Bob in each round, Alice can easily determine zi, Z 2 , • • • ,ii„- 
In stage 3, Alice sends pair of corrupted links and corrupted 
indices, i.e., = {zi, ^i; * 2 , ^ 2 ; • • • on all of 

the links 1 < ^ < G. 

Stage 4: The last stage is similar to the second stage in 
the scheme for only reliability. The purpose of this stage is to 
allow Bob to determine the corrupted links and the correspond¬ 
ing rounds. In this stage, Alice computes a randomized hash 
of the symbols received by Bob in the previous N rounds, 
i.e., for each link 1 < ( < G, as follows. First, 

Alice picks G independent random keys pi, p 2 , ■ ■ ■, pc 
computes hashes Hi = pi, I < I < C, each of 

length \^/n\ using the matrix hash scheme (see appendix). 
Next, Alice transmits the hash H on every uncorrupted link 
Li € and a random G[-^/zz]-length vector on 

every corrupted link Li G 

Decoding: The first phase of decoding works in the same way 
as in the scheme without secrecy. Bob first partitions the set of 
links into sets Z^ and Zx using the following classification. 

• For each llink L;, if Bob determines that the hash values 
and keys specified by Hi are consistent with all the 
received codewords on that link in the first three stages, 
i.e., yG-^+t)^ he assigns Li to Z^. 

• Else, Bob assigns Li to Z^. 

From the links in Z^ , Bob determines the corrupted links and 
the corresponding rounds from which Bob started corrupting 
the links, i.e., {zi, ^i; * 2 , ^ 2 ; • • • Bob then decodes 

the codewords for each round starting from round 1 using the 
appropriate links for that round. In particular, he uses all the 
links for rounds 1 < z < zi — 1, all the links except li for 
rounds Zi -f 1 < z < Z 2 — 1, and so on. If the set Z^ is empty, 
he declares an error. 

Analysis for decoding: Note that Z^ includes every link that 
is not corrupted by Calvin. In order to prove that Bob can 
successfully decode m with a high probability, first, we need 
to show that Zw^'“^ = Zx with a high probability. This proof 
is analogous to the case without secrecy. 







Next, we need to show that Bob can decode for each round. 
In stage 1, till rounds ii — 1, no link is corrupted by Calvin. 
Thus, Bob can use and use any C — z^o rows of G to 
decode the messages (and keys as well)j^ 

In stage 2, let us consider the rounds from ij + 1 < i < 
ij+i — 1. In each of these rounds, notice that on uncorrupted 
links Zw^\ we have Thus, Bob can use ( [T5| ) 

to get the following system of equations 


m 


(t) n 
1 


,(* 



m 


(*) 


hG) 

LS,-o-z_)+J 


( 13 ) 


Observe that the number of rows of G -ua is C— j, while the 
number of columns is i? + — (j — Ziuo)~^ = G — z^o — (j ~ 

Zwo)'^- If j < 0u,o, Bob can consider any G — Zyjo rows of 
the Cauchy matrix G to decode for the message and key 
symbols. If j > z^o, square and it is non-singular 

being a Cauchy matrix. 

Remark: Note that in each of the rounds *i, ^2, • ’' Bob 

cannot decode the message symbols since Calvin corrupts the 
new link. Therefore, the number of symbols (messages plus 
keys) that can be correctly conveyed to Bob is N — z^j > 
N — Zw ^ N for large N. 

Analysis for secrecy: We show that in any round, Calvin does 
not get any information about the message symbols. In the 
first stage, in round i, 1 < i < ii, Calvin gets the following 
system of equations on the links Zj. that he can observe: 


xV = Gz^ 


mi 




(14) 


where Gz^ is the sub-matrix of G rows corresponding to links 
in Z^. Using the properties of Cauchy matrix, we can prove 
that I — 0 using the same steps as in the case for 

secrecy without passive feedback. 

Next, we prove secrecy for every round i, ii -\-1 < i < N, 
in stage 2. Consider the case that Calvin has corrupted j links, 
i "G 3 Zw Let zfi] be the number of corrupted links that 

Calvin can also eavesdrop, and Zwo be the remaining corrupted 

(?) (?) ± 
links (zrw + Zwo = j)- Note that Calvin observes (left hand 


®Here, we use the property of a Cauchy matrix that any of its square sub¬ 
matrices is non-singular. 


side of) the following system of equations: 




= 0 ) 




= G 






m 


(i) 


( 15 ) 


k 


(?) 

z^-{j-z^^) + ^ 



k 


(?) 

Zr-(i-Z™o) + -|-l 


^(?) 

- Zr- — {j — Z^a)'^+zf2- 


( 16 ) 


(i) 

On Zrw links, Calvin observes random keys. Thus, we need 

(?) 

to worry about the remaining of the Zr — Zrw links that he 
eavesdrops. The number of random key symbols mixed with 
message symbols is Zr — {j — Zwo)^- If j < Zwo, the number of 
mixed keys is Zr, while if j > Zwo, the number of mixed keys 
is Zr (^3 Zwo^ — Zr Zrw ^wo Zwo ■ Since Zwo ^ Zwoy It is 
easy to see that the number of mixed keys is greater than equal 
to the number of eavesdropped symbols involving messages. 
Using the properties of Cauchy matrix, one can easily prove 
that the secrecy requirement is satisfied. 

Converse : Consider a strategy for Calvin wherein he over¬ 
writes zero symbols on the Zwo links that he can only corrupt. 
He eavesdrops all the Zr links of his choice. We consider that 
the communication is over multiple rounds, say t number of 
rounds. 

H{M) = i/-f 

= "£?? +1 (^; Yzrlllr^) +1 
+ / (M; \Ytl?lzr.+Zr^) 

new + I (M; 

< new + H(Ytt._^^.-z.^) 

id) 

— “f n{C Zwo Zro Zrwf 


where e„ —> 0 as ??- —> 00. Here, (a) follows 

from Fano’s inequality, (b) follows from the chain rule 
of mutual information. To obtain (c), first note that 
I < I (^M; by data processing 

inequality. But, for secrecy, we need / (^M ; ^ = 0. 

Also, I (^M;Yzl'f^ = 0 since = 0 due to 

Calvin’s attack strategy. Finally, (d) follows from unit link 
capacities. 














